The LDAP group cn=under_NDA is apparently no longer used? It seems/seemed to be used for deployment-prep, but the current members are apparently mostly older accounts any no recent staff additions are present there. If it's confirmed that it's no longer used, let's remove it to minimise confusion. If it should still be in use, it needs to be pruned of accounts no longer around.
Description
Description
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Open | None | T142815 Enhance account handling (meta bug) | |||
| Resolved | hashar | T142822 Check status of under_NDA group |
Event Timeline
Comment Actions
To get input about deployment-prep you need to add Beta-Cluster-Infrastructure
(excluding the list of members/sudoUser)
dn: cn=under_NDA,ou=sudoers,cn=deployment-prep,ou=projects,dc=wikimedia,dc=org objectClass: sudorole objectClass: top cn: under_NDA sudoHost: ALL sudoCommand: ALL sudoOption: !authenticate
I don't think it's been used for years. Was probably for one of the original SSL certificate ideas, but we went with Let's Encrypt instead.
Comment Actions
The under_NDA group was meant to maintain yet another list of people under NDA. It has been created ages ago with the idea of using real SSL/TLS certificates on the beta cluster, had that been the cases, we would have wanted to make sure access to those private certificates would be limited.
They would have been deployed on the SSL/TLS termination proxies which is handled by Nginx which on beta would be cohosted on the caches / varnish instances. That under_NDA group would have let us restrict sudo/root access on the cache instances.
One will want to review whether the sudo policy in wikitech is still of any use. I have seen mails notifications stating that beta might be using lets encrypt certificate, I guess we will want the certificate private keys to only be readable by people under NDA.
Comment Actions
No. It is actively using Let's Encrypt certificates now without any such requirement. If we needed new certs there's no cost to pay for them. If someone abused the certs to impersonate beta.wmflabs.org, they'd be impersonating something that nobody trusts with anything private anyway, and they wouldn't need to impersonate the site because if they got that far they already have the ability to change how MediaWiki behaves, change various infrastructure configs, etc.
The group long predates LE existing, and you wouldn't just need to cut off access to the cache machines, but also salt and puppetmaster, which is unacceptable for a labs project.